Revision as of 21:03, 4 February 2018

The GDPR was adopted by the European Union on 27 April 2016 and will become enforceable from 25 May 2018. At that time, it will replace the Data Protection Act.
In the case of a serious breach, the maximum penalty is the equivalent of €20 million or 4% of global turnover, although it should be noted that, where security and surveillance data breaches are found, the penalties are likely to be well below this. Of more concern will be the reputational damage caused by media reports of any data failures.

Personal Data is any information that enables the identity of a person to be established and tells you something about the person and his/her activity.

Under GDPR, the data protection principles are similar to those in the Data Protection Act (DPA), with some added detail and a new accountability requirement to show how you comply with the following principles, namely that data must be:

(a) processed lawfully, fairly and in a transparent manner in relation to individuals

(b) collected for specified, explicit and legitimate purposes

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

(d) accurate and, where necessary, kept up to date

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

(f) processed in a manner that ensures appropriate security of the personal data

The Information Commissioner's Office has various guides and information to help companies prepare for the GDPR implementation.